by yuuta 1533 days ago
First, set up a pair of tunnels. There are multiple tutorials on doing this; you could check the Arch Linux Wiki for how to. On my setup, I assigned a pair of /31 addresses to each side just for the internal communication.

Then, if you want to use IPv4 NAT, set up SNAT and DNAT. I'm taking Linux's iptables as an example. On the VPS:

    iptables -t nat -A PREROUTING -d <VPS Public IP>/32 -p tcp --dport port -j DNAT --to-destination <IP of another side of the WireGuard tunnel>
    iptables -t nat -A POSTROUTING -o <VPS Internet facing NIC> -j MASQUERADE

The first statement sets SNAT on IPv4 TCP (UDP is also possible) on a specified port. All packets going into this machine (dst = VPS public IP) will go into the other side of your WireGuard tunnel. -d <VPS Public IP>/32 makes sure that the packets forwarding to the VPN side won't get NATed. If you need multiple ports or protocols, just duplicate this line.

The second statement sets DNAT on the VPS. It makes the packets from your VPN side go to the outside (sorry, I'm not an expert in networking principles, so that's my understanding).

On your local side, you just set up the tunnel and set your machine's default gateway to your VPS's tunnel IP address. Make sure you add a static route to your VPS's public address (WireGuard Endpoint) if you are connecting WireGuard using an IPv4 endpoint or it will get routed to your tunnel and you will disconnect.

I also sometimes set up IPv6 tunnels without NAT. On the VPS I just set up a WireGuard interface with a /64 and assign each peer a /128. No NAT is needed in this case.
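The VPS-side port forwarding and the local-side routing described in the comment above, collected into one script. This is an added example, not code from the comment's author. All addresses are constructed placeholders (RFC 5737/1918 ranges), the tunnel interface is assumed to be named wg0, and the FORWARD-chain rules are an assumption added here so that only the forwarded ports and their replies cross the tunnel; the comment itself only shows the two nat-table rules. DRY_RUN=1 (the default) prints the commands instead of executing them, so the script can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example: VPS port-forward over a WireGuard /31 pair plus the local routes.
# DRY_RUN=1 prints each command instead of running it.

DRY_RUN="${DRY_RUN:-1}"

# Constructed example values; adjust for your own setup.
VPS_PUBLIC_IP="203.0.113.10"      # RFC 5737 documentation address, stands in for the VPS IP
VPS_NIC="eth0"                    # VPS internet-facing NIC
WG_IF="wg0"                       # assumed tunnel interface name
VPS_TUN_IP="10.0.0.0"             # VPS end of the /31 tunnel pair
LOCAL_TUN_IP="10.0.0.1"           # local end of the /31 tunnel pair
LOCAL_LAN_GW="192.168.1.1"        # local router; needed for the endpoint host route

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# DNAT one public port (tcp or udp) on the VPS into the tunnel. The -d match keeps
# packets that merely transit the VPS from being rewritten.
vps_forward_port() {
  port="$1"; proto="$2"
  run iptables -t nat -A PREROUTING -d "$VPS_PUBLIC_IP/32" -p "$proto" --dport "$port" \
      -j DNAT --to-destination "$LOCAL_TUN_IP"
}

# One-time VPS setup: enable forwarding, masquerade replies leaving the internet NIC,
# and (assumption beyond the comment) admit only the forwarded ports through FORWARD.
# Arguments are port/proto specs such as 80/tcp 443/tcp 25565/udp.
vps_setup() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -o "$VPS_NIC" -j MASQUERADE
  run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  for spec in "$@"; do
    port="${spec%/*}"; proto="${spec#*/}"
    vps_forward_port "$port" "$proto"
    # DNAT changed the address only, so the port still matches after rewriting.
    run iptables -A FORWARD -i "$VPS_NIC" -o "$WG_IF" -p "$proto" -d "$LOCAL_TUN_IP" \
        --dport "$port" -j ACCEPT
  done
  run iptables -A FORWARD -i "$VPS_NIC" -o "$WG_IF" -j DROP
}

# Local side: pin the WireGuard endpoint to the real uplink BEFORE the default route
# moves into the tunnel; otherwise the handshake packets loop into wg0 and the
# tunnel drops, exactly the lock-out the comment warns about.
local_setup() {
  run ip route add "$VPS_PUBLIC_IP/32" via "$LOCAL_LAN_GW"
  run ip route replace default via "$VPS_TUN_IP" dev "$WG_IF"
}

# Usage (dry run): sh this_script.sh
vps_setup 80/tcp 443/tcp
local_setup
```

The order inside local_setup is the important part: adding the host route for the endpoint first means a later `ip route replace default` cannot swallow the WireGuard handshake traffic. Run with DRY_RUN=0 on each machine only after the printed rules look right.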

1 comments

Thanks